NETCONF Call home. Rajendra Nagabhushan, Senior Staff Engineer, ADVA Optical Networking Vikram Darsi, Senior Lead Engineer, ADVA Optical Networking

Transcription

1 NETCONF Call home Rajendra Nagabhushan, Senior Staff Engineer, ADVA Optical Networking Vikram Darsi, Senior Lead Engineer, ADVA Optical Networking 15/11/2016

2 Agenda Introduction to Reverse SSH (call home) NETCONF call home overview Opendaylight NETCONF module architecture Adding NETCONF call home support into Opendaylight Demo Future works and deviation (w.r.t. draft-ietf-netconf-call-home-17) Q & A

3 Reverse SSH (call home) PE PE Internet PE1 Private network Firewall/NAT Call home or reverse SSH is a technique where the SSH server initiates a request that the SSH client establish a SSH connection to the server Management Network

4 Reverse SSH (call home) Call home is useful where NE may be deployed behind a firewall that implements NAT Dynamic IP assignment Firewall prevents management access to internal network NE doesn't open any ports for management system to connect to. The operator prefers NE to initiate management connection (easier to secure one open port in data center)

5 NETCONF call home RFC draft: Enables a NETCONF server (network element or device) to initiate a secure connection to a NETCONF client (network management system). Role reversal in TCP layer (while calling home, device is TCP-client). Other layer roles (SSH/TLS server, NETCONF server) remains the same. NETCONF Server(NE) TCP Connection NETCONF Client(Controller) SSH/TLS Session NETCONF Session

6 Opendaylight NETCONF Subsystem

7 Connect to NETCONF Device Method: PUT URI: Headers: Accept: application/xml Content-Type: application/xml Payload: <node xmlns="urn:tbd:params:xml:ns:yang:network-topology"> <node-id>new-netconf-device</node-id> <host xmlns="urn:opendaylight:netconf-node-topology"> </host> <port xmlns="urn:opendaylight:netconf-node-topology">17830</port> <username xmlns="urn:opendaylight:netconf-node-topology">admin</username> <password xmlns="urn:opendaylight:netconf-node-topology">admin</password> <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only> <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">0</keepalive-delay> </node> Reference:

8 Connect to NETCONF Device NetconfTopologyImpl NetconfDeviceSalFacade NetconfDevice NetconfDeviceCommunicator uses NetconfClientConfiguration MD-SAL Protocol Framework NetconfClientDispatcherImpl Channel AsyncSshHandler NETCONF Device

9 Opendaylight NETCONF/NETTY Netty Channel Netty Channel Pipeline IO requests via ChannelHandlerContext Reads from buffer Channel pipeline Buffer Inbound Handler N Outbound Handler 1 Server Channel Buffer Client Inbound Handler N-1 Outbound Handler 2 Writes into buffer Inbound Handler 2 Inbound Handler 1 Outbound Handler M-1 Outbound Handler M Socket.read() Socket.write() Netty internal IO threads (Transport Implementation) Reference:

10 Call home Support Integration NioSocketAcceptor NetconfCallHome NetconfDeviceSalFacade NetconfDevice CallhomeDeviceCommunicator uses ReversedNetconfClientConfiguration MD-SAL Protocol Framework CallhomeClientDispatcherImpl Channel ReversedAsyncSshHandler NETCONF Device Reference:

11 Call home Support Integration

12 Demo REST Client: Postman UI to view the auto discovered NETCONF device data, like capabilities etc. REST Client IP: ODL Controller: Installed call home feature which starts TCP server on port ODL Controller (with call home feature) IP: NETCONF Simulator: ODL NETCONF project has a built in NETCONF simulator. This simulator is modified to initiate TCP connection to the TCP server in the ODL Controller. ODL NETCONF Simulator (Initiates TCP connection) IP:

13 Future works and deviations Enhancements Implement security considerations according to the draft-ietfnetconf-call-home-17 recommendation Certificate based authentication support Precautions to mitigate DoS attacks Deviation Keep-alive mechanism implemented in NETCONF client

14 Summary NETCONF call home can be integrated into Opendaylight as a karaf deployable feature. Addition of call home doesn t impact the functionality of any existing Opendaylight features. Addition of call home feature is useful in many deployment scenarios of Opendaylight controller.

15 Q & A

16 References NETCONF Call Home and RESTCONF Call Home RFC Draft: OpenDaylight Controller:Netconf:Design: Opendaylight Netconf Examples: nf Gerrit Patch by Maros Marsalek: Netty.io :

17 Thank You